---
title: "Data Processing Agreement"
summary: "Our commitment to protecting your data in compliance with GDPR, CCPA, and other data protection laws"
updated: "2025-07-27"
---

This Data Processing Agreement (“**DPA**”) forms part of the agreement between you (“**Customer**,” “**you**,” or “**your**”) and Fastrepl, Inc. (“**Company**,” “**we**,” “**us**,” or “**our**”), a Delaware corporation, as set forth in our Terms of Service (the “**Terms**”), Privacy Policy, and Cookie Policy (collectively, the “**Agreement**”). This DPA governs the processing of personal data by us or our third-party processors when you use Hyprnote (the “**Service**”), particularly for optional cloud-based AI models.

By using the Service, you agree to this DPA. If you do not agree, please either refrain from enabling cloud-based features or contact us at [support@hyprnote.com](mailto:support@hyprnote.com). Capitalized terms not defined here have the meanings given in the Terms or Privacy Policy.

## 1. Scope and Roles

- **Controller**: You, the Customer, are the data controller, determining the purposes and means of processing personal data (e.g., recordings, transcripts, or notes created via the Service, collectively “**Your Content**”).
- **Processor**: Fastrepl, Inc. acts as a data processor when processing Your Content for cloud-based AI models (if enabled). We engage third-party sub-processors (e.g., cloud service providers) to perform these functions, as listed in Annex II.
- **Application**: Local processing occurs on your device and is not subject to this DPA as no personal data is transferred to us. Cloud-based processing is initiated only when you explicitly enable cloud-based AI features through the Service’s settings, such as selecting ‘Enable Cloud Transcription’ or similar options.
- **Jurisdictions**: This DPA complies with data protection laws in the European Economic Area (EEA), United Kingdom, Switzerland, California (USA), and other applicable jurisdictions, as specified in the Terms’ Governing Law section.

## 2. Definitions

- **Personal Data**: Any information relating to an identified or identifiable natural person, as defined under applicable laws (e.g., GDPR Art. 4(1), CCPA § 1798.140(o)).
- **Processing**: Any operation performed on personal data, such as collection, storage, or analysis, as defined under applicable laws.
- **Data Subject**: An individual whose personal data is processed (e.g., meeting participants).
- **Applicable Data Protection Laws**: Includes GDPR, UK GDPR, Swiss Federal Act on Data Protection (FADP), CCPA/CPRA, and other relevant laws.

## 3. Processing Details

- **Subject Matter**: Processing of Your Content for cloud-based AI transcription or summarization, if enabled.
- **Duration**: Processing occurs only while cloud-based features are active and terminates upon your disabling of these features, deletion of Your Content, or termination of the Service.
- **Nature and Purpose**: Temporary processing to provide AI-powered transcription or summarization, as requested by you.
- **Types of Personal Data**: May include audio recordings, transcripts, notes, or metadata (e.g., participant names, if included in Your Content), as determined by you.
- **Categories of Data Subjects**: Meeting participants or individuals included in Your Content, as determined by you.
- **Customer Obligations**: You warrant that:
  - You have obtained explicit, informed consent from data subjects for recording and cloud processing, as required by law (e.g., GDPR Art. 6, one-party/all-party consent laws).
  - You must provide data subjects with a clear and conspicuous privacy notice prior to enabling cloud-based features, specifying the types of personal data processed, the purpose (e.g., AI transcription), and the involvement of sub-processors, as outlined in our Privacy Policy at /privacy-policy.
  - You will notify data subjects of cloud processing, as outlined in our Privacy Policy.

### 3.1 Use of Personal Data in AI Models

We do not use Customer Personal Data to train, retrain, or fine-tune large language models, machine learning algorithms, or other artificial intelligence systems unless expressly authorized in writing by the Customer and in accordance with Applicable Data Protection Laws.

Any anonymization or de-identification used for aggregate analytics or product improvement shall:

- Meet the standard set forth in CPRA § 1798.140(h) and GDPR Recital 26;
- Include contractual obligations prohibiting re-identification;
- Be subject to ongoing technical and organizational safeguards.

Significant effects include automated decisions that impact an individual’s legal rights, employment, or financial status. The Service does not currently perform such automated decision-making (e.g., profiling in meeting summaries) but will notify you and obtain consent if such features are introduced.

## 4. Processor Obligations

We agree to:

- Process personal data only on your documented instructions, as provided via the Service’s settings or written agreement, unless required by law.
- Ensure that personnel processing personal data are bound by confidentiality obligations.
- Implement technical and organizational measures to protect personal data, as detailed in Annex I.
- Assist you in responding to data subject requests (e.g., access, deletion) under Applicable Data Protection Laws, subject to reasonable costs for excessive requests.
- Notify you without undue delay (within 72 hours where feasible) of any personal data breach, as required by GDPR Art. 33 or other laws.
- Assist you with data protection impact assessments (DPIAs) or prior consultations with supervisory authorities, where required by GDPR Art. 35–36.
- Delete or return personal data upon termination of cloud-based features, unless required to retain it by law.
- Provide information to demonstrate compliance with this DPA, including allowing audits (subject to reasonable notice and confidentiality).
- Cooperate with inquiries from data protection authorities regarding the processing of Your Content and notify you of such inquiries unless prohibited by law, to enable you to fulfill your obligations as a controller.
- Audits under Section 4 are limited to once per calendar year and require 30 days’ written notice to [dpo@hyprnote.com](mailto:dpo@hyprnote.com). You will bear the reasonable costs of audits, including onsite inspections, unless a material breach of this DPA is identified, in which case we will cover such costs.

## 5. Sub-Processors

- **Authorization**: You authorize us to engage sub-processors listed in Annex II. We will notify you of changes to sub-processors via email or in-app message. Objections to sub-processor changes must be submitted in writing to [dpo@hyprnote.com](mailto:dpo@hyprnote.com) within 14 days, specifying the reasonable grounds for objection. If we cannot accommodate the objection, we may suspend data transfers to the new sub-processor or, if no alternative exists, terminate cloud-based services with notice, as per the Terms.
- **Obligations**: We ensure sub-processors are bound by written agreements imposing equivalent obligations to this DPA, including GDPR Art. 28 requirements.
- **Liability**: We remain liable for sub-processors’ compliance with this DPA, subject to the limitations in the Terms’ Limitation of Liability section. Our liability for sub-processor compliance does not apply to breaches resulting from your non-compliant instructions or misuse of the Service, as outlined in the Terms and Conditions.

## 6. International Data Transfers

- **GDPR Compliance**: For transfers of personal data from the EEA, UK, or Switzerland to countries without an adequacy decision (e.g., USA), we use the European Commission’s Standard Contractual Clauses (SCCs), as incorporated in Annex III. The Module 2 (Controller-to-Processor) SCCs apply.
- **Other Jurisdictions**: For data transfers from jurisdictions outside the EEA, UK, or Switzerland, we implement appropriate safeguards, such as contractual commitments or adequacy assessments, to ensure compliance with local data protection laws.
- **Customer Responsibility**: You ensure that data subjects are informed of international transfers, as required by law.

## 7. Data Subject Rights

- **Support**: We assist you in fulfilling data subject requests (e.g., access, rectification, deletion, portability) by providing tools in the Service’s settings or responding to written requests.
- **Direct Requests**: If we receive a data subject request, we will redirect it to you unless legally required to respond.
- **CCPA/CPRA Compliance**: For California residents, we support your obligations regarding consumer rights (e.g., opt-out of sale/sharing, deletion), noting that we do not sell personal data, but some analytics may constitute “sharing” under CCPA. You are responsible for providing California residents with a clear mechanism to opt out of any ‘sharing’ of personal data for analytics purposes, as defined under CPRA § 1798.140(ad), such as a ‘Do Not Sell or Share My Personal Information’ link, consistent with our Privacy Policy.

## 8. Security Measures

- **Commitment**: We implement industry-standard security measures, as detailed in Annex I, to protect personal data against unauthorized access, loss, or disclosure.
- **Customer Role**: You are responsible for securing Your Content on your device and ensuring compliance with recording laws, as outlined in the Terms’ Your Responsibilities section.
- **Breach Notification**: We notify you of security incidents impacting personal data. Breach notifications will include, to the extent known: (i) the nature of the breach; (ii) categories and approximate number of affected data subjects and records; (iii) likely consequences; and (iv) measures taken or proposed to mitigate harm. We will assist you in preparing notifications to supervisory authorities or affected data subjects.

## 9. Termination and Deletion

- **Termination**: Upon disabling cloud-based features, termination of the Service, or your request, we will delete or return all personal data, except where retention is required by law (e.g., for legal obligations).
- **Certification**: Upon your written request to [dpo@hyprnote.com](mailto:dpo@hyprnote.com), we will provide a written certification of personal data deletion within 30 days, subject to legal retention requirements.
- **Local Data**: Your Content stored locally on your device remains under your control and is not subject to this DPA.

## 10. Liability

- **Limits**: Our liability under this DPA is subject to the Terms’ Limitation of Liability section, capping liability at the greater of \$100 USD or fees paid in the prior 12 months, to the extent permitted by law.
- **GDPR Exception**: For GDPR-related liabilities, each party is responsible for damages caused by its non-compliance, as per GDPR Art. 82.
- **Indemnification**: You indemnify us against claims arising from your failure to obtain consent or comply with Applicable Data Protection Laws, as per the Terms’ Indemnification section.

## 11. Governing Law and Dispute Resolution

- **Governing Law**: This DPA is governed by the laws of the State of California, USA, without regard to conflict-of-law principles, except where preempted by mandatory local laws (e.g., GDPR for EEA/UK/Swiss residents), as specified in the Terms’ Governing Law section.
- **Disputes**: Disputes will be resolved through good-faith negotiation. Unresolved disputes will be handled in San Francisco, California courts, unless local laws grant you rights to your jurisdiction’s courts. For GDPR-related disputes, EEA/UK/Swiss residents may lodge complaints with local data protection authorities or seek remedies in their courts. Alternative dispute resolution (e.g., mediation) is encouraged, via [dpo@hyprnote.com](mailto:dpo@hyprnote.com).
- **Statutory Rights**: Nothing in this DPA limits your mandatory statutory rights under Applicable Data Protection Laws.

## 12. Miscellaneous

- **Changes**: We may update this DPA to reflect legal or operational changes. Material changes will be notified via email or in-app message at least 30 days before taking effect, as per the Terms’ Changes to Terms section.
- **Severability**: If any provision is invalid, the remaining provisions remain in force. Invalid provisions will be replaced to reflect the original intent.
- **Entire Agreement**: This DPA, together with the Agreement, constitutes the entire understanding between you and us regarding personal data processing, superseding prior agreements.
- **Contact**: For DPA-related inquiries, contact our Data Protection Officer at [dpo@hyprnote.com](mailto:dpo@hyprnote.com) or Fastrepl, Inc., 2261 Market St, Suite 85492, San Francisco, CA 94114, USA.

## Annex I: Security Measures

We implement the following technical and organizational measures:

- **Encryption**: Data in transit is encrypted using TLS 1.2 or higher.
- **Access Controls**: Role-based access is limited to authorized personnel with multi-factor authentication.
- **Data Minimization**: Only necessary personal data is processed for cloud-based features.
- **Incident Response**: 24/7 monitoring and documented breach response procedures.
- **Audits**: Regular security audits and penetration testing by third-party experts.
- **Sub-Processor Oversight**: Contracts with sub-processors require equivalent security measures.
- **Employee Training**: Annual data protection training for personnel handling personal data.
- **Pseudonymization**: Where feasible, personal data is pseudonymized to separate identifiable information from content, reducing risks during processing.
- **Retention**: Personal data is retained only for the duration of active cloud-based features or up to 30 days after a deletion request unless longer retention is required by law.
- **Backups**: Backup data is encrypted using AES-256 and stored with access restricted to authorized personnel under strict access controls.

## Annex II: List of Sub-Processors

| **Sub-Processor**                      | **Purpose**                                              | **Location** | **Safeguards**                                                                                                                                                 |
| -------------------------------------- | -------------------------------------------------------- | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Sentry](https://sentry.io/)           | For logging errors                                       | USA          | GDPR/CCPA-aligned DPA, prohibits sensitive data, deletion on request, customer audit rights                                                                   |
| [PostHog](https://posthog.com/)        | For logging clicks                                       | USA          | SOC 2 Type II, GDPR/CCPA-aligned DPA, strict use‑only data purpose clauses, hardware MFA, public audit transparency                                            |
| [AWS](https://aws.amazon.com)          | For integrating with 3rd party apps like GCal or Outlook | USA          | Encryption in transit & at rest, strict access controls, incident response plans, privacy‑focused vendor management, confidentiality contracts, staff training |
| [Keygen](https://keygen.sh)            | For issuing licenses for Hyprnote Pro                    | USA          | Strong MFA, cryptographically signed APIs/licenses, automated vulnerability scanning, penetration testing, GDPR DSR support                                    |
| [Stripe](https://stripe.com)           | For payment processing                                   | USA          | Vendor security assessments, audit rights, DPA and Data Privacy Framework compliance, data localization options                                                |
| [Linear](https://linear.app)           | For collaborating with teammates                         | USA          | SOC 2 Type II, HIPAA (BAA available), GDPR‑compliant DPA, sub‑processor assessments, admin controls, audit logging, secure data deletion/portability           |
| [GitHub](https://github.com)           | For hosting our codebase                                 | USA          | Public sub‑processor list, contractual commitments, advance notification of changes                                                                            |
| [CrabNebula](https://crabnebula.cloud) | For CI/CD                                                | USA          | SSL/TLS, least‑privilege models, internal and external CI/CD audits, GDPR‑only data residency EU                                                               |

**Note**: Sub-processor list is maintained at the above URL and updated as needed. You will be notified of changes per Section 5.

## Annex III: Standard Contractual Clauses

The European Commission’s Standard Contractual Clauses (Controller-to-Processor, Module 2) are incorporated by reference and apply to personal data transfers from the EEA, UK, or Switzerland. Key details:

- **Data Exporter**: Customer (you), as controller.
- **Data Importer**: Fastrepl, Inc., as processor.
- **Governing Law for SCCs**: Ireland (for EEA), UK law (for UK), Swiss law (for Switzerland).
- **Competent Authority**: Customer’s local supervisory authority (e.g., Irish Data Protection Commission for EEA).
- **Docking Clause**: Enabled for additional parties.
- **Annexes**: Security measures (Annex I), sub-processors (Annex II), and processing details (Section 3) are incorporated into the SCCs.

For the full SCC text, see https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

By enabling cloud-based features, you agree to this DPA and the SCCs where applicable. Thank you for trusting Hyprnote with your data!

## Annex IV: UK International Data Transfer Addendum (2022 Version)

This Addendum is entered into by the parties as required under the UK GDPR and is completed in accordance with the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0 issued by the UK Information Commissioner under S119A(1) of the Data Protection Act 2018, effective 21 March 2022.

**Table 1: Parties**

- **Exporter:** Customer (you), as Data Exporter
- **Importer:** Fastrepl, Inc., as Data Importer
- **Exporter Contact:** As provided in Service account
- **Importer Contact:** [dpo@hyprnote.com](mailto:dpo@hyprnote.com)

**Table 2: Selected SCCs**

- Addendum applies to Module 2 SCCs as included in Annex III

**Table 3: Appendix Information**

- Annex I(A–C), Annex II (sub-processors), and Section 3 of the DPA

**Table 4: Addendum Mandatory Clauses**

- The Mandatory Clauses of the UK Addendum, as published by the ICO, are incorporated by reference.

By enabling cloud-based features and transferring personal data from the UK, the Customer agrees to the terms of this Addendum.

## Annex VII: Swiss Addendum to Standard Contractual Clauses (SCCs)

This Addendum supplements the European Commission’s Standard Contractual Clauses (Module 2, Controller-to-Processor) incorporated in Annex III for transfers of personal data originating from Switzerland, in accordance with the revised Swiss Federal Act on Data Protection (revFADP, effective September 1, 2023) and guidance from the Swiss Federal Data Protection and Information Commissioner (FDPIC).

**Adaptations for Swiss Law:**

1. **Applicable Law and Jurisdiction:**
   - Clause 17 of the SCCs (Governing Law) shall refer to the laws of **Switzerland**.
   - Clause 18(b) of the SCCs (Choice of Forum and Jurisdiction) shall refer to the **courts of Switzerland**.
2. **Supervisory Authority:**
   - References to the “competent supervisory authority” shall be interpreted as the **Swiss Federal Data Protection and Information Commissioner (FDPIC)**.
3. **Scope:**
   - This Addendum applies to personal data that is:
     - Subject exclusively to the Swiss FADP; or
     - Subject to both Swiss FADP and EU/EEA GDPR (in parallel).
4. **Terminology:**
   - References in the SCCs to:
     - “General Data Protection Regulation” or “GDPR” shall include the Swiss FADP where applicable.
     - “Member State” shall be understood to include **Switzerland**.
5. **Docking Clause:**
   - Clause 7 of the SCCs (Docking Clause) remains enabled and includes Swiss transfers as applicable.
6. **Conflicts:**
   - In the event of any conflict between the SCCs and this Addendum, the terms of this Addendum shall prevail for data transfers from Switzerland.
